You are here

Cloudflare’s HTML parsing system bug could have exposed information about users

Cloudflare has grown over the last few years as the company offers smart DNS, caching, content optimization on its content delivery network. Many services offered by Cloudflare are free of cost and the company has millions of websites on its reverse proxy system. A newly discovered bug with HTML parsing system used by Cloudflare has raised suspicion of risk of important data.

Cloudflare also offered content delivery and smart caching for content of the websites that use its system. During this process, Cloudflare uses a smart HTML parsing system that modifies certain aspects of HTML pages and also rewrites some information about HTTP links to make them secure. The issue that caused the current bug has been linked to cached pages in search engines like Google, Bing and Yahoo.

The bug has been discovered by Google security engineer Tavis Ormandy while he was working on a project with his team members. They noticed strange data that was coming up from websites using Cloudflare. The issue was reported to Cloudflare security team on February 18.

Cloudflare acted fast and setup a response team to deal with the issue. The feature leading to security risk was disabled immediately and Cloudflare fixed the issue on its network by February 20 completely. The data cached by search engines has also been removed from the caches over the past few days. The issue was reported publicly on Thursday.

Cloudflare CTO John Graham-Cumming informed, “The bug was serious because the leaked memory could contain private information and because it had been cached by search engines. We have also not discovered any evidence of malicious exploits of the bug or other reports of its existence.”

He added, “Our natural inclination was to get news of the bug out as quickly as possible, but we felt we had a duty of care to ensure that search engine caches were scrubbed before a public announcement.”